Articles

By: (Security+)

Publication: The Kansas Banker, November 2016

 


We know encryption is the bee’s knees; that’s why we’ve been coming up with ways to encrypt messages since the time of the ancient Greeks. But do our coworkers and family members understand what it means to use encryption in today’s technology landscape, if they’re using encryption at all?

In layman’s terms, encryption is about putting data inside a virtual safe and locking it with a key that only you have. In terms of communication, there is a series of locks and keys passed back and forth to turn your data into gibberish that can only be understood by the parties with the keys.

Read Full Article

 

By: (CISA, CISSP, CRISC)

Publication: The Kansas Banker, March 2015

On February 6, 2015, the FFIEC issued a new appendix titled "Strengthening the Resilience of Outsourced Technology Services" to the "Business Continuity Planning" booklet of the FFIEC Information Technology Examination Handbook. This new appendix discusses the following four key elements financial institutions should address related to Technology Service Providers (TSPs).

Third-Party Management

"Establishing a well-defined relationship with TSPs is essential to business resilience. A financial institution’s third-party management program should be risk-focused and provide oversight and controls commensurate with the level of risk presented by the outsourcing arrangement."

The guidance focuses on the following third-party management components:

Third-Party Capacity

Read Full Article

 

By: (CISA, CISSP, CRISC)

Publication: Nebraska Banker, September/October 2014

Phishing attacks are a part of everyday life, and according to the “Global Phishing Survey 2H2013: Trends and Domain Name Use” by the Anti-Phishing Working Group (APWG), the banking industry is the primary target of these types of attacks. So, what are phishing attacks and how can we protect our banks against them?

What is a phishing attack?

A phishing scam is a type of social engineering attack that typically uses fraudulent electronic messages (email, text, etc.) appearing to come from legitimate sources. These messages usually attempt to acquire sensitive information or install malicious software by directing the recipient to click a link or open an attachment. Some common types of phishing include:

Read Full Article

 

By: (CISA, CISSP, CRISC)

Publication: VACB (Virginia Association of Community Banks) The Community Banker, Winter 2013

Recently we have seen a focus on vendor management during exams. Regulators have been concerned that the quality of third-party risk management practices may not be keeping pace with the increasing level of risk and complexity of these relationships. As a result of this concern and new focus, the OCC released a Bulletin titled “Third-Party Relationships: Risk Management Guidance” on October 30, 2013. The bulletin provides guidance for assessing and managing risks associated with third-party relationships.

Risk Management Life Cycle

The guidance describes a Risk Management Life Cycle as a way to effectively manage third-party risk (see figure 1). This continuous life cycle process incorporates the following phases and practices:

Planning

Read Full Article

 

By: (CISA, CISSP, CRISC)

Publication: The Colorado Banker, September/October 2013

Information security is a significant business risk that demands our attention. But too many times, the personnel tasked to oversee information security don’t have the time, resources or knowledge to do the job right. Although this article cannot provide the time or knowledge needed to make a true evaluation, it can help get the internal conversation started. Answering the following 21 questions can help you measure your overall information security posture.

Risk Management

Risk assessments are the foundation of a good information security program, so the risk management process needs to be strong for the overall program to be strong. With regard to risk management, ask yourself:

Service Provider Oversight

Read Full Article

 

By: (CISA, CISSP, CRISC)

Publication: Nebraska Banker, July/August 2013

Bring Your Own Device (BYOD) is a hot topic in businesses today. I think every security and technology conference I have attended over the past few months has had a session on BYOD. One of the recent ones I went to labeled their session “BYOD, Bring Your own Device or Disaster?” In the session, like many others, the presenter discussed some of the issues related to introducing personal devices into a business. I think the issue escalates even more within the financial sector, as confidentiality and security are more important. By allowing employees to use their personal devices for bank-related activities (e.g. email, access to the network, bank applications, etc.), the bank must deal with security issues, which can conflict with employees’ personal expectations.

Read Full Article

 

By: (CISA, CISSP, CRISC)

Publication: VACB (Virginia Association of Community Banks) The Community Banker, Spring 2013

In January, the Federal Financial Institutions Examination Council (FFIEC) released proposed guidance titled "Social Media: Consumer Compliance Risk Management Guidance." According to the FFIEC, the proposed guidance "is intended to help financial institutions understand potential consumer compliance and legal risks, as well as related risks, such as reputation and operational risks associated with the use of social media, along with expectations for managing those risks."

Definition:

The term "social media" can mean many different things to different people. For the purposes of the guidance, the FFIEC defined social media as "a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video." They also included the following examples of social media:

Read Full Article

 

By: (CISSP, CISA, Security+) and (CISA, CISSP, CRISC)

Publication: The Colorado Banker, January/February 2012

On June 28, 2011, the FFIEC published a Press Release titled "Supplement to Authentication in an Internet Banking Environment." In the introduction of the supplement, they stated the FFIEC member agencies "have directed examiners to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012." The question is: is your financial institution in compliance with the new guidance? In this article, we will review the basic principles outlined in the guidance.

Purpose and Background:

Read Full Article

 

By: (CISA, CISSP, CRISC)

Publication: Western Independent Banker, November/December 2010

On January 26, 2010, six employees of a regional community bank received an email purporting to be about a recent wire transfer. Three of the email’s recipients were suspicious of the message and reported it to their IT group. The bank’s IT group verified the email was a phishing attack and deleted it from the six employee email accounts; however, one of the employees had already forwarded it to the bank’s wire person.

The email included an attachment called "detailspdf.zip" containing a file called "detailspdf.scr." This file is a Trojan, malware used to download further files onto the attacked computer. The wire transfer employee tried to open the file (assuming it was legit since it was forwarded to her by a bank officer). Apparently, the Trojan then downloaded the additional programs the attacker needed to steal the username/password to log in to their wire transfer website. With the login information, the attacker attempted to transfer funds to accounts overseas. In this case, at least part of the attack was prevented by a requirement for different individuals to initiate and approve all wire transfers. The attack appears to have originated from England.

Read Full Article

 

By: (CISA, CISSP, CRISC)

Publication: Texas Banking, July 2010

Social networking sites like Facebook, MySpace, Twitter, and LinkedIn are a topic on everybody's lips today. Our kids communicate with them; our customers are on them; our employees request them, but how do they fit into my bank's strategic plan, and what are the risks associated with these sites? In this article, we will look at the security and technology concerns related to social networking sites.

Each year, McAfee Labs produces a Threat Predictions report listing the top threats they forecast for the coming year. This year, McAfee listed social networking threats as the top two in their report: "1.) Social networking sites such as Facebook will face more sophisticated threats as the number of users grows. 2.) The explosion of applications on Facebook and other services will be an ideal vector for cybercriminals, who will take advantage of friends trusting friends to click links they might otherwise treat cautiously."

Read Full Article